Understanding the AD FS Web Agent Role Service

The Active Directory Federation Services (AD FS) Web Agent
is a role service of AD FS that you can install independently
from other AD FS role services. The act of installing the
AD FS Web Agent role service on a computer makes that computer
an AD FS-enabled Web server.

AD FS-enabled Web servers consume security tokens and
either allow or deny a user access to a Web application. To
accomplish this, the AD FS-enabled Web server requires a
relationship with a resource Federation Service so that it can
direct the user to the Federation Service as needed.

The AD FS Web Agent can be used for two different types of
applications:

Claims-aware applications: a Microsoft
ASP.NET application that is written to published AD FS objects
that allow the querying of AD FS security token claims. The
applications make authorization decisions based on these
claims.

The AD FS-enabled Web server also stores Hypertext Transfer
Protocol (HTTP) cookies on clients where the cookies are necessary
to facilitate single sign-on (SSO). The AD FS Web Agent
comprises two separate components:

AD FS Windows Token-Based Agent Extension

AD FS Web Agent Authentication Service

AD FS Windows Token-Based Agent Extension

The AD FS Windows Token-Based Agent Extension is an
Internet Server Application Programming Interface (ISAPI) extension
that you can use to configure information in the Internet
Information Services (IIS) metabase. In IIS Manager you can use the
Federation Services URL and AD FS Web Agent property
pages to administer policy and certificates that verify the
AD FS security token and cookies.

The AD FS Web Agent properties in the following
table are inheritable. These properties are required on an IIS
resource if the ISAPI extension is going to support the
WS-Federation Passive Requestor Profile (WS-F PRP) protocol.

Property: Federation Service URL
Description: The Uniform Resource Locator (URL) of the Federation
Service. This URL is required so that the Web Agent can query the
Federation Service for trust information.

Property: Cookie path
Description: The path that is specified when the authentication
cookie is written.

Property: Cookie domain
Description: The domain for which the cookie is valid.

Property: Return URL
Description: The URL to which the token from the Federation Service
comes back after authentication at the Federation Service. This URL
should match the Audience element of the token. The check against
the Audience element is performed by the Windows service (the
AD FS Web Agent Authentication Service described below).
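As an added illustration of the Return URL and cookie rows above (example code, not from this page or from AD FS itself), the following Python checks the Audience element of a constructed SAML 1.1 assertion against a configured Return URL, and checks that a configured cookie domain and path would actually scope the SSO cookie to that URL. The URL normalization and the cookie-scope rule are assumptions of this example, not documented AD FS behaviour.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed SAML 1.1 assertion in the general shape a Federation Service
# issues to a WS-F PRP relying party; only the Audience element is examined.
SAMPLE_TOKEN = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="_constructed-example" Issuer="urn:federation:constructed-example">
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T01:00:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://app.example.net/claimsapp/</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}


def token_audiences(token_xml):
    """Return every Audience value under AudienceRestrictionCondition."""
    root = ET.fromstring(token_xml)
    nodes = root.findall(".//saml:AudienceRestrictionCondition/saml:Audience", SAML_NS)
    return [n.text.strip() for n in nodes if n.text]


def normalize(url):
    """Assumed comparison rule: scheme and host are case-insensitive, a
    redundant default port is dropped, and the path is compared as-is."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    netloc = p.netloc.lower()
    if (scheme, p.port) in (("https", 443), ("http", 80)):
        netloc = p.hostname
    return f"{scheme}://{netloc}{p.path or '/'}"


def audience_matches_return_url(token_xml, return_url):
    """Accept the token only if one Audience equals the configured Return URL."""
    target = normalize(return_url)
    return any(normalize(a) == target for a in token_audiences(token_xml))


def cookie_scope_covers_return_url(cookie_domain, cookie_path, return_url):
    """Sanity check (an assumption of this example): the browser will only
    send the SSO cookie back to the Return URL if the cookie domain is the
    application host or a parent domain, and the cookie path matches the
    application path using the RFC 6265 path-match rule."""
    p = urlsplit(return_url)
    host = (p.hostname or "").lower()
    dom = cookie_domain.lstrip(".").lower()
    domain_ok = host == dom or host.endswith("." + dom)
    req_path = p.path or "/"
    path_ok = req_path == cookie_path or (
        req_path.startswith(cookie_path)
        and (cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"))
    return domain_ok and path_ok
```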

AD FS Web Agent Authentication Service

The AD FS Web Agent Authentication Service
validates incoming tokens and cookies. It runs as Local System so
that it can generate a Windows token, either through Service-for-User
(S4U), which obtains a Windows token for the client from a user
principal name (UPN) without a password, or through the AD FS
authentication package. The IIS application pool itself does not
need to run as Local System.

The AD FS Web Agent Authentication Service has
interfaces that may be called only with local remote procedure call
(LRPC), not remote procedure call (RPC). This service returns an
impersonation Windows NT access token if it is given an
AD FS security token or an AD FS cookie.